Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenDMARC Authentication-Results parsing doesn't adhere to RFC's, causing valid data to be ignored or listed as invalid #238

Open
MrPeteH opened this issue Apr 11, 2023 · 0 comments
Open

OpenDMARC Authentication-Results parsing doesn't adhere to RFC's, causing valid data to be ignored or listed as invalid #238

MrPeteH opened this issue Apr 11, 2023 · 0 comments

Comments

@MrPeteH
Copy link

MrPeteH commented Apr 11, 2023

Various RFC-compliant DKIM and ARC softwares produce headers that OpenDMARC has a hissy fit about. I've tracked down the issue to lack of RFC compliance in OpenDMARC header parsing. This issue report provides a few sample headers that OpenDMARC doesn't like, then describes the challenge in some specificity. (FWIW, the same problem exists in OpenARC parsing.)

SUMMARY OF TWO KEY PARSE ISSUES

  1. OpenDMARC doesn't parse CFWS whitespace properly (Folding White Space and Comments.) This ABNF is ubiquitous in key headers.
  2. OpenDMARC doesn't parse AuthServe-ID as dot-atom - appears to assume it is FQDN?

SAMPLES CAUSING TROUBLE (ALL are RFC-compliant headers)

  1. Produced by OpenDKIM on my own server. (Problem: the comment is standard CFWS and breaks parsing)

     dkim=pass (1024-bit key; unprotected) header.d=their.dom.ain [email protected] header.a=rsa-sha256 header.s=1000073432 header.b=eKmreZ4p;
 dkim-atps=neutral

  2. Produced by DKIM on a popular hosting service (not sure what SW they use) (Problem: the AuthServe-ID is dot-atom)

     rspamd-786cb55f77-65p7t;
 auth=pass smtp.auth=sample-host [email protected]

etc.

DISCUSSION OF THE ISSUE
AFAIK (from experience -- see above -- and code examination), OpenDMARC parsing is not RFC-compatible with CFWS. What's that?

(ARC-)Authentication-Results header definition ABNF make many references to RFC 5322 CFWS -- Folding White Space and Comments -- which is essentially folded white space plus any amount of [ \t\n] white space plus optional, nestable, () comments which can contain any text at all other than "(", ")" or "\".

Here are ABNF references in the RFC's:

As a dev, that sounds complex to me. I searched for some help towards a functioning implementation. To get us started, here is a regexp definition for CFWS, extracted from http://www.watersprings.org/pub/id/draft-seantek-mail-regexen-01.html#rfc.section.3.2

(?(DEFINE)
 (?<FWS>(?:[\t ]*\r\n)?[\t ]+)
 (?<CFWS>(?:(?&FWS)?(?&comment))+(?&FWS)?|(?&FWS))
 (?<ctext>[!-'*-\[\]-~])
 (?<ccontent>(?&ctext)|(?&quoted_pair)|(?&comment))
 (?<comment>\((?:(?&FWS)?(?&ccontent))*(?&FWS)?\))
 (?<quoted_pair>\\[ -~])
)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@MrPeteH